Home > Vulnerability Database > CVE-2024-36129

Mend.io Vulnerability Database

CVE-2024-36129

Good to know:

Date: June 5, 2024

The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.

Language: Go

Severity Score

8.2

Related Resources (8)

Url: https://github.com/open-telemetry/opentelemetry-collector

Url: https://pkg.go.dev/vuln/GO-2024-2900

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-36129

Url: https://github.com/open-telemetry/opentelemetry-collector/pull/10323

Url: https://github.com/open-telemetry/opentelemetry-collector/pull/10289

Url: https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v

Url: https://opentelemetry.io/blog/2024/cve-2024-36129

Url: https://www.mend.io/vulnerability-database/CVE-2024-36129

Severity Score

8.2

Weakness Type (CWE)

Buffer Errors

CWE-119

Top Fix

Upgrade Version

Upgrade to version go.opentelemetry.io/collector/config/configgrpc-0.102.1, go.opentelemetry.io/collector/config/confighttp-0.102.0

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-36129

Good to know:

Date: June 5, 2024

Language: Go

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?